Hi, I am trying to use auditbeat to collect Linux Audit logs and send them to our elasticsearch server.
In order to compare performance with auditd, I tried the following configuration:
-a always,exit -F arch=b64 -S all -k exec
With the same configuration for auditd, I found that auditbeat has much higher CPU usage. In particular, auditbeat takes above 14% CPU usage while auditd takes a maximum of 5%. The auditd version is auditbeat-6.2.4-amd64.
Are there any ways to reduce the CPU usage, as with auditd?